deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #2483 from MicrosoftDocs/arc

Browse Source 
update arcsight
This commit is contained in:
Gary Moore 2020-04-07 16:48:27 -07:00 committed by GitHub
commit debdaa1422
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 39 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/TOC.md
View File

@ -583,7 +583,7 @@
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)

64
windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
View File

@ -1,7 +1,7 @@
---
title: Configure HP ArcSight to pull Microsoft Defender ATP detections
description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure hp arcsight, security information and events management tools, arcsight
title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Configure HP ArcSight to pull Microsoft Defender ATP detections
# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
**Applies to:**
@ -28,14 +28,15 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
@ -50,7 +51,7 @@ This section guides you in getting the necessary information to set and use the
- WDATP-connector.properties
- WDATP-connector.jsonparser.properties
You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
- Make sure you generate the following tokens and have them ready:
- Access token
@ -58,7 +59,8 @@ This section guides you in getting the necessary information to set and use the
You can generate these tokens from the **SIEM integration** setup section of the portal.
## Install and configure HP ArcSight FlexConnector
## Install and configure Micro Focus ArcSight FlexConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
@ -79,8 +81,9 @@ The following steps assume that you have completed all the required steps in [Be
- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
NOTE:
You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
> [!NOTE]
>
> You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
@ -114,30 +117,36 @@ The following steps assume that you have completed all the required steps in [Be
</td>
</tr>
</tr>
</table><br/>7. A browser window is opened by the connector. Login with your application credentials. After you log in, you&#39;ll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. </br></br>
If the <code>redirect_uri</code> is a https URL, you&#39;ll be redirected to a URL on the local host. You&#39;ll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You&#39;ll need to trust this certificate if the redirect_uri is a https. </br></br> If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
</table><br/>
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
If the <code>redirect_uri</code> is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
13. Select **Install as a service** and click **Next**.
13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
14. Select **Install as a service** and click **Next**.
15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
16. Finish the installation by selecting **Exit** and **Next**.
16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
17. Finish the installation by selecting **Exit** and **Next**.
## Install and configure the Micro Focus ArcSight console
## Install and configure the HP ArcSight console
1. Follow the installation wizard through the following tasks:
- Introduction
- License Agreement
@ -158,18 +167,19 @@ The following steps assume that you have completed all the required steps in [Be
7. Click **Done** to quit the installer.
8. Login to the HP ArcSight console.
8. Login to the Micro Focus ArcSight console.
9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
You can now run queries in the HP ArcSight console.
You can now run queries in the Micro Focus ArcSight console.
Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Troubleshooting HP ArcSight connection
## Troubleshooting Micro Focus ArcSight connection
**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
**Symptom:** You get the following error message:
@ -177,7 +187,9 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof
`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
**Solution:**
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
`reauthenticate=true`.